CVE-2025-64781
Open Redirect Vulnerability in GroupSession Versions Before 5.7.1
Publication date: 2025-12-12
Last updated on: 2026-02-17
Assigner: JPCERT/CC
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| groupsession | GroupSession (Free edition, byCloud, ZION) | all versions before 5.7.1 (5.7.1 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1188 | Initialization of a Resource with an Insecure Default: the product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure. |
AI Powered Q&A
Can you explain this vulnerability to me?
This is an open redirect caused by an insecure default setting (CWE-1188), not by a URL-parsing bug. In GroupSession Free edition, GroupSession byCloud, and GroupSession ZION prior to version 5.7.1, the initial configuration sets "External page display restriction" to "Do not limit". With that setting in place, a specially crafted URL that points at the GroupSession instance forwards the user to any website the attacker chooses.
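As an added illustration (example code written for this page, not GroupSession's own code), the following Python models the "External page display restriction" setting as a redirect policy: "Do not limit" accepts any destination, which is exactly the open redirect, while a same-origin rule rejects external targets including the usual look-alike forms (scheme-relative `//host`, backslash and userinfo tricks, a bare `https:host`). The policy names, the deployment origin and the sample targets are assumptions for the example; the advisory does not state GroupSession's parameter names or the other values of the setting.

```python
# Added example for CVE-2025-64781 (not GroupSession's own code): models the
# "External page display restriction" setting as a redirect policy and shows
# why "Do not limit" is an open redirect while a same-origin rule is not.
# Names, the deployment host and the sample URLs are all hypothetical.
from enum import Enum
from urllib.parse import urlsplit


class ExternalPagePolicy(Enum):
    """Hypothetical encoding of the two settings the advisory describes."""
    DO_NOT_LIMIT = "do_not_limit"   # insecure default before 5.7.1
    SAME_ORIGIN = "same_origin"     # only the application's own origin


# Hypothetical origin of the GroupSession deployment being protected.
APP_ORIGIN = "https://groupware.example.com"


def _normalise(target: str) -> str:
    """Undo the tricks browsers tolerate that make a URL look relative:
    embedded tab/CR/LF are dropped and backslashes are treated as slashes."""
    cleaned = "".join(ch for ch in target if ch not in "\t\r\n").strip()
    return cleaned.replace("\\", "/")


def is_safe_redirect(target: str, policy: ExternalPagePolicy,
                     app_origin: str = APP_ORIGIN) -> bool:
    """Decide whether a user may be sent to `target` under `policy`."""
    if policy is ExternalPagePolicy.DO_NOT_LIMIT:
        # The vulnerable behaviour: every destination is accepted.
        return True

    cleaned = _normalise(target)
    if not cleaned:
        return False
    try:
        parts = urlsplit(cleaned)
    except ValueError:            # e.g. malformed IPv6 literal in the host
        return False

    if parts.scheme or parts.netloc:
        # Absolute ("https://evil.example") or scheme-relative ("//evil.example")
        # URLs must match the application's own scheme and host:port exactly.
        # Userinfo tricks ("https://groupware.example.com@evil.example") fail
        # here because the whole netloc, including "user@", is compared.
        app = urlsplit(app_origin)
        return (parts.scheme.lower() == app.scheme.lower()
                and parts.netloc.lower() == app.netloc.lower())

    # Otherwise it is a relative reference: accept only a single leading "/",
    # which rules out "////evil.example" and a bare "evil.example".
    return cleaned.startswith("/") and not cleaned.startswith("//")


def redirect_location(requested: str, policy: ExternalPagePolicy,
                      fallback: str = "/") -> str:
    """What a redirect endpoint should put in its Location header."""
    return requested if is_safe_redirect(requested, policy) else fallback


# Constructed candidate targets, as an attacker might place them in a crafted URL.
SAMPLE_TARGETS = [
    "/main/do",
    "https://groupware.example.com/main/do",
    "https://evil.example/login",
    "//evil.example/login",
    "/\\evil.example/login",
    "https://groupware.example.com@evil.example/",
    "https:evil.example",
    "javascript:alert(1)",
    "\t//evil.example",
]


def evaluate(policy: ExternalPagePolicy) -> dict:
    """Map each sample target to the decision the policy would make."""
    return {t: is_safe_redirect(t, policy) for t in SAMPLE_TARGETS}


if __name__ == "__main__":
    for policy in ExternalPagePolicy:
        print(policy.value)
        for target, ok in evaluate(policy).items():
            print(f"  {'allow' if ok else 'block'}  {target!r}")
```

Under `DO_NOT_LIMIT` every sample target is allowed, which is the behaviour the advisory describes for the pre-5.7.1 default; under `SAME_ORIGIN` only the two targets on the application's own origin pass. A redirect endpoint should call `redirect_location` rather than echo the parameter, so a rejected target degrades to a harmless landing page instead of an error.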
How can this vulnerability impact me?
Because the crafted link begins on the legitimate GroupSession host, a victim sees a trusted domain before being forwarded to an attacker-controlled site. That makes the flaw a convenient lure for phishing (for example a look-alike login page that harvests credentials) or for delivering malware. The redirect itself does not expose data held on the server, but it undermines user trust in the groupware's URLs and can be the first step toward credential theft or malware infection.
What immediate steps should I take to mitigate this vulnerability?
Update GroupSession to version 5.7.1 or later. [2] Until the update can be applied, review the "External page display restriction" setting on existing installations and do not leave it at "Do not limit": the CWE-1188 classification indicates that the insecure default, not the setting itself, is the defect, so an instance that was installed with the default and never changed is the one at risk.